SciTokens Credential Monitor

This package implements an HTCondor credential monitor (a "credmon") for the SciTokens project. The credential monitor allows users to generate tokens based on OAuth workflows or through the presence of a local private key accessible to the credmon.

Installing the Credmon

NOTE: We have not yet written installation routines for the credmon.

For now, check out the source code to a publicly-readable location such as /var/lib/scitokens-credmon.

Additionally, create the following directory:

/var/lib/condor/credential

and chmod it to 0700.

Enabling the Credmon

After installation of the credmon binaries, the admin needs to inform HTCondor of the location of the credmon and that it should be run by default.

On the condor_schedd host, add the following to a configuration file in /etc/condor/config.d or wherever the $CONDOR_CONFIG variable references:

# The credential producer invoked by `condor_submit`; causes the credd to be invoked
# prior to the job being submitted.
SEC_CREDENTIAL_PRODUCER = /var/lib/scitokens-credmon/bin/scitokens_credential_producer

SEC_CREDENTIAL_DIRECTORY = /var/lib/condor/credential
# PYTHONPATH only needs to be set if the credmon is not installed to system Python
SEC_CREDENTIAL_MONITOR_ENVIRONMENT = "PYTHONPATH=/var/lib/scitokens-credmon"
SEC_CREDENTIAL_MONITOR = /var/lib/scitokens-credmon/bin/condor_credmon
SEC_CREDENTIAL_MONITOR_LOG = /var/log/condor/CredmonLog
DAEMON_LIST = $(DAEMON_LIST), CREDD, SEC_CREDENTIAL_MONITOR

Further, on the condor execute hosts, add:

STARTER.CREDD_OAUTH_MODE = TRUE
# NOTE: credd will refuse to transfer tokens on a non-encrypted link.
SEC_DEFAULT_ENCRYPTION = REQUIRED

Local Credmon Mode

In the "local mode", the credmon will use a provided private key to sign a SciToken directly, bypassing any OAuth callout. This is useful in the case where the admin wants a less complex setup than a full OAuth deployment.

To set up the local credmon mode, the following configuration directives are mandatory:

# Path to the private keyfile
LOCAL_CREDMON_PRIVATE_KEY = /etc/condor/scitokens_ec_private.key
# Each key must have a name that relying parties can look up.
LOCAL_CREDMON_PRIVATE_KEY_ID = key-es356
# The issuer location; relying parties will need to be able to access this issuer to
# download the corresponding public key.
LOCAL_CREDMON_ISSUER = https://demo.scitokens.org

Additionally, the following may be customized:

# The authorizations given to the token.  Should be of the form `authz:path` and
# space-separated for multiple authorizations.  The token `{username}` will be
# expanded with the user's Unix username.
# LOCAL_CREDMON_AUTHZ_TEMPLATE = read:/user/{username} write:/user/{username}

# The lifetime, in seconds, for a new token.  The credmon will continuously renew
# credentials on the submit-side.
LOCAL_CREDMON_TOKEN_LIFETIME = 1200
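To make the local mode concrete, the following added example (not the credmon's own code) shows what these directives turn into: the LOCAL_CREDMON_* lines are parsed, `{username}` is expanded in the authz template, the lifetime becomes the `exp` claim, and the result is signed as an ES256 JWT whose header carries the configured key id so relying parties can find the matching public key at the issuer. The claim set (`iss`, `sub`, `iat`, `nbf`, `exp`, `scope`) and the use of the commented-out authz template as the default are assumptions for the example, and the throwaway key generated in `__main__` stands in for the file named by LOCAL_CREDMON_PRIVATE_KEY. Signing needs the `cryptography` package; the helpers that build the claims run without it.

```python
"""Added example, not part of the scitokens-credmon project: mint a SciToken
the way local credmon mode does, a JWT signed directly with an EC private key,
with claims derived from the LOCAL_CREDMON_* directives."""
import base64
import json
import time

# Constructed sample of the directives shown in the README (the authz template
# is uncommented here so the parser sees it).
SAMPLE_CONFIG = """
LOCAL_CREDMON_PRIVATE_KEY = /etc/condor/scitokens_ec_private.key
LOCAL_CREDMON_PRIVATE_KEY_ID = key-es356
LOCAL_CREDMON_ISSUER = https://demo.scitokens.org
LOCAL_CREDMON_AUTHZ_TEMPLATE = read:/user/{username} write:/user/{username}
LOCAL_CREDMON_TOKEN_LIFETIME = 1200
"""

# Assumed default when LOCAL_CREDMON_AUTHZ_TEMPLATE is not set: the value the
# README shows commented out.
DEFAULT_AUTHZ_TEMPLATE = "read:/user/{username} write:/user/{username}"


def parse_condor_config(text):
    """Parse 'KEY = value' lines in HTCondor config style; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def expand_authz_template(template, username):
    """Expand {username} in each space-separated 'authz:path' entry."""
    return [entry.format(username=username) for entry in template.split()]


def build_claims(cfg, username, now=None):
    """Build the claim set: issuer, subject, validity window and scope."""
    now = int(time.time()) if now is None else now
    lifetime = int(cfg.get("LOCAL_CREDMON_TOKEN_LIFETIME", 1200))
    template = cfg.get("LOCAL_CREDMON_AUTHZ_TEMPLATE", DEFAULT_AUTHZ_TEMPLATE)
    return {
        "iss": cfg["LOCAL_CREDMON_ISSUER"],
        "sub": username,
        "iat": now,
        "nbf": now,
        "exp": now + lifetime,   # LOCAL_CREDMON_TOKEN_LIFETIME is in seconds
        "scope": " ".join(expand_authz_template(template, username)),
    }


def b64url(data):
    """JOSE base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_es256(private_key, kid, claims):
    """Return header.payload.signature signed with ES256.

    The 'kid' header is LOCAL_CREDMON_PRIVATE_KEY_ID; relying parties use it
    to pick the public key published by LOCAL_CREDMON_ISSUER. The
    'cryptography' package is imported lazily so the claim helpers above work
    without it."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec, utils

    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    der_sig = private_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256()))
    r, s = utils.decode_dss_signature(der_sig)               # DER -> (r, s)
    raw_sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JOSE wants fixed-width r||s
    return signing_input + "." + b64url(raw_sig)


if __name__ == "__main__":
    from cryptography.hazmat.primitives.asymmetric import ec

    cfg = parse_condor_config(SAMPLE_CONFIG)
    # Throwaway key in place of LOCAL_CREDMON_PRIVATE_KEY; a deployment would
    # load that PEM file with serialization.load_pem_private_key() instead.
    key = ec.generate_private_key(ec.SECP256R1())
    claims = build_claims(cfg, "alice")
    print(json.dumps(claims, indent=2))
    print(sign_es256(key, cfg["LOCAL_CREDMON_PRIVATE_KEY_ID"], claims))
```

The `exp` claim is why the README says the credmon keeps renewing on the submit side: with a 1200-second lifetime, a job that outlives the token must receive a fresh one, so a short lifetime bounds the damage of a leaked token only if renewal is working.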